Why are we still talking about email security?
May 2023 by Deryck Mitchelson, Field CISO at cybersecurity company Check Point
Email security compromises are among the costliest in cyber. Last year, organizations lost over $2.7 billion in email fraud. Does this really need to continue, given the tools and resources available to security leaders?
The vast majority of CISOs do implement email security. However, there’s an incipient problem, an elephant in the room, that needs to be addressed. CISOs are often blindsided by this problem – they just don’t see it at all. The problem is that CISOs do not know whether or not their email security is actually working and if so, to what extent.
When asked about how they know that their current level of email security is providing the correct level of protection, many CISOs simply lack an answer. They’ve got nothing. In one recent conversation, a CISO said to me, ‘I don’t know if we have a problem with email or not.’
They don’t know about the number of dangerous links that have been clicked on. They don’t know if the number of phishing emails coming in is increasing or decreasing. And they’re not improving rules around quarantining or releasing emails. They’re not even in the operational space. Despite around 90% of cyber attacks originating from an email, it is seen as a black box.
Why CISOs aren’t seeing email risk
While CISOs can automate 99% of email security management, allowing automation to do the heavy lifting, there’s still 1% of the job that cannot be automated. It’s that 1% that CISOs and cyber security professionals are not paying attention to.
CISOs commonly have the impression that with certain products, such as Microsoft Office 365, email is natively secure or “secure enough”. However, unless a CISO has a team that is managing the product — dissecting the logs, working with the dashboards and scrutinizing ingress traffic — CISOs cannot actually understand the level of the email threat.
And do some CISOs take their eye off of the email security risk? Probably. Is there an assumption that cloud security providers are managing email risk for security leaders? Probably.
Why else are email risks marginalized?
Another truth is that email security is just not a hot topic. It’s not sexy. So cyber security leaders don’t want to be in that space. They would prefer to be in the space of orchestration technologies, DevSecOps technologies and cloud technologies.
In addition, because email has been around for decades, some security professionals might not believe just how vicious a modern email threat can be. They don’t really see an email as a high-level threat carrying an elevated level of risk.
Even CISOs who do strive to guard against email threats may not get what they need from the dashboards, and there may be no report that provides a high-level overview of relevant email threat metrics. As a result, some are struggling to understand what exactly the email threat is and how to articulate it. Other security leaders might not even grasp the magnitude of the threat until an attack is already in motion and the email is in the inbox.
How the right email security cuts costs
CISOs also need to understand the level of overhead involved in inadequate email security; what it’s costing the business, and what that risk is. For example, prior to joining Check Point, my Security Operations teams spent all of 30-40% of their time managing emails.
That’s huge. Absolutely huge. For an organization that builds its security operations internally, that’s a considerable share of the team’s time. I would go as far as saying that you could probably save several headcount from your team with proper email security.
Where to start improving email security
First of all, automating email security as much as possible is critical. CISOs should rely on really strong preventative technologies to automate and take away most of the risk. Secondly, security leaders need to ensure that the solutions implemented genuinely strengthen what is offered by cloud security providers, such as Microsoft (O365) or Google (Gmail).
Also, inline is important because inline means the solution has the capability to prevent very quickly, and that’s what is critical with email. A malicious rule can move an email before it is seen, hiding an account compromise. A link will take a user to a hoax website that perfectly impersonates the actual one. Security leaders need to have that inline solution, preventing things from getting to mailboxes and thereby preventing compromise.
Some frameworks do talk about best practices around email security and email security gateways. I’ve seen NIST talk about that. But best practices are just that; best practices. They’re not mandated.
I also wonder about the extent to which CISOs really consider what they’re purchasing. For instance, if security leaders are buying both an email client and purchasing email security from the same vendor, maybe it’s time to consider a secure email provider, which can greatly enhance email security. Or maybe it’s time to shift to a layered approach to email security.
What else can be done to evolve email security
At every conference, every security professional talks about email security as a #1 priority. But I have not found any organization that I think does it properly.
It just takes one malicious email to bring down an entire organization. One single malicious email could cost a business four or five million dollars in threat clean-up, remediation and legal expenses, should an employee click on the email.
Prevent threats from ever reaching users’ inboxes. Obtain security that blocks what the default layers of security miss. Develop and demonstrate expertise in measuring email threat metrics, present the results to management and the board, and continue to optimize your email threat prevention architecture.
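The metrics the article says CISOs cannot answer for (phishing volume trend, quarantine releases, dangerous links clicked) can be derived from whatever event log the email security layer already produces. The following is an added illustration, not code from the author or from Check Point; the one-event-per-line log format and the event names are constructed assumptions, and the empty-log branch represents the "black box" case where the team has no visibility at all.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records (hypothetical format, not a real gateway's output):
# "YYYY-MM-DD event". Events: delivered, phish_detected, quarantined,
# released (from quarantine), malicious_click (user followed a blocked link).
SAMPLE_LOG = """\
2023-04-03 delivered
2023-04-03 delivered
2023-04-03 phish_detected
2023-04-04 quarantined
2023-04-05 delivered
2023-04-06 delivered
2023-04-10 delivered
2023-04-10 phish_detected
2023-04-11 phish_detected
2023-04-11 quarantined
2023-04-12 released
2023-04-12 malicious_click
2023-04-13 delivered
"""

def weekly_counts(log_text):
    """Bucket events by ISO (year, week) -> Counter of event types."""
    weeks = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, event = line.split()
        y, m, d = map(int, day.split("-"))
        iso = date(y, m, d).isocalendar()
        weeks[(iso[0], iso[1])][event] += 1
    return dict(sorted(weeks.items()))

def email_threat_metrics(log_text):
    """Board-level view: per-week phishing counts, release rate, clicks, and trend."""
    weeks = weekly_counts(log_text)
    if not weeks:
        return {"visibility": "none"}  # nothing measured: email is a black box
    rows = []
    for (year, week), c in weeks.items():
        quarantined = c["quarantined"]
        rows.append({
            "week": f"{year}-W{week:02d}",
            "inbound": c["delivered"] + c["phish_detected"],
            "phish_detected": c["phish_detected"],
            "release_rate": c["released"] / quarantined if quarantined else 0.0,
            "malicious_clicks": c["malicious_click"],
        })
    trend = "insufficient data"
    if len(rows) >= 2:  # compare the two most recent weeks
        last, prev = rows[-1]["phish_detected"], rows[-2]["phish_detected"]
        trend = "increasing" if last > prev else "decreasing" if last < prev else "flat"
    return {"visibility": "full", "weeks": rows, "phish_trend": trend}
```

A rising release rate or any non-zero malicious click count is the signal to tune quarantine rules and user awareness, which is exactly the operational work the article says is being skipped.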